Last week, the California Assembly’s Standing Committee on Privacy and Consumer Protection held a hearing to discuss the California Consumer Privacy Act. While many panelists from the private sector pointed out problems with the law, a few panelists defended the law, and some suggested that it didn’t go far enough. For example, Stacey Schesser, the Supervising Deputy Attorney General for the Privacy Unit in the Consumer Law Section of the Office of the California Attorney General, stated that the current law presents “unworkable obligations and operational challenges” for the AG’s office and suggested several significant changes. This week, California AG Becerra and state Senator Hannah-Beth Jackson announced a bill that would seek to implement the changes Ms. Schesser described into law.
The bill includes two proposals that could materially affect potential exposure for businesses under the CCPA:
- Private Right of Action: The current law allows any consumer whose unencrypted or unredacted personal information is breached “as a result of a violation of the duty to implement and maintain reasonable security procedures and practices” to recover statutory damages of up to $750 per incident. The private right of action is likely to be used in litigation, particularly over what constitutes “reasonable” practices, but at least it is limited to breaches. The new bill, however, would expand the private right of action to cover violations of any other section of the law, as well.
- Right to Cure: The current law requires the AG to give businesses notice and 30 days to cure alleged violations before the AG can seek an injunction and civil penalties. This 30-day cure period can provide a warning to businesses that are trying to comply with a confusing law, if their efforts fall short. The proposed bill, however, would remove the right to cure, leaving businesses immediately exposed for any violations.
In addition to these changes, the bill proposes to remove a provision that would allow businesses to seek guidance from the AG on how to comply with the law.
If the bill is enacted into law, these changes would be a boon to plaintiffs’ attorneys and privacy litigators. However, to use Ms. Schesser’s words, the changes would result in even more “unworkable obligations and operational challenges” for businesses.